CVE-2014-0085

Fuse: admin user cleartext password appears in logging

Severity Score

2.1

*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

JBoss Fuse did not enable encrypted passwords by default in its usage of Apache Zookeeper. This permitted sensitive information disclosure via logging to local users. Note: this description has been updated; previous text mistakenly identified the source of the flaw as Zookeeper. Previous text: Apache Zookeeper logs cleartext admin passwords, which allows local users to obtain sensitive information by reading the log.

JBoss Fuse no habilitaba contraseñas cifradas por defecto en su uso de Apache Zookeeper. Esto permitió la divulgación de información confidencial a través del registro de usuarios locales. Nota: esta descripción ha sido actualizada. El texto anterior identificaba erróneamente el origen del problema como Zookeeper. Texto anterior: Apache Zookeeper registra contraseñas de administrador en texto claro, lo que permite a los usuarios locales obtener información sensible leyendo el registro.

JBoss Fuse did not enable encrypted passwords by default in its usage of Apache Zookeeper. This permitted sensitive information disclosure via logging to local users. This issue is a vulnerability in JBoss Fuse's usage of Apache Zookeeper, not in Zookeeper itself as was previously stated.

*Credits: N/A

CVSS Scores

NISTv2 2.1

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2013-12-03 CVE Reserved
2014-04-14 CVE Published
2023-03-08 EPSS Updated
2024-08-06 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-255: Credentials Management Errors
CWE-522: Insufficiently Protected Credentials

CAPEC

References (3)

URL	Tag	Source
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0085	Issue Tracking

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2014-0085	2014-04-14
https://bugzilla.redhat.com/show_bug.cgi?id=1067265	2014-04-14

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Redhat Search vendor "Redhat"		Jboss A-mq Search vendor "Redhat" for product "Jboss A-mq"				6.0.0 Search vendor "Redhat" for product "Jboss A-mq" and version "6.0.0"		-		Affected
Redhat Search vendor "Redhat"		Jboss Fuse Search vendor "Redhat" for product "Jboss Fuse"				6.0.0 Search vendor "Redhat" for product "Jboss Fuse" and version "6.0.0"		-		Affected